tencent cloud

PrevNext

Feedback

search by keyword

Recent Pages

Documentation
Tencent Kubernetes Engine
    Documentation
    Download PDF

    Cluster Audit

    Last updated: 2022-06-10 16:48:45
    Download PDF

      From now to December 31, 2021, audit log and event data generated by EKS is free of charge. Select Auto-create Logset or select Auto-create Log Topic in an existing logset. For more information, see Free Tier.

      Overview

      Cluster auditing is a feature based on Kubernetes Auditing that can store and search for the records of JSON logs with configurable policies generated by kube-apiserver. It records the access events of kube-apiserver and the activities of each user, admin, or system add-on that has an impact on the cluster in sequence.

      Strengths

      Cluster auditing provides a cluster monitoring dimension other than metrics. After it is enabled, Kubernetes can record every audit log of operations on the cluster. An audit log is a structured record in JSON format and includes metadata, requestObject, and responseObject. Metadata (containing the request context, such as who initiated the request, where it was initiated, and the accessed URI) is required, while requestObject and responseObject are optional, depending on the audit level. You can learn about the following information from logs:

      • Activities that occur in the cluster.
      • Occurrence time and objects of an activity.
      • Activity triggering time, triggering positions, and observation points.
      • Activity results and subsequent processing.

      Example of how to read an audit log

      {
 "kind":"Event",
 "apiVersion":"audit.k8s.io/v1",
 "level":"RequestResponse",
 "auditID":0a4376d5-307a-4e16-a049-24e017******,
 "stage":"ResponseComplete",
 // What happened
 "requestURI":"/apis/apps/v1/namespaces/default/deployments",
 "verb":"create",
 // Who initiated the request
 "user":{
   "username":"admin",
     "uid":"admin",
     "groups":[
       "system:masters",
       "system:authenticated"
     ]
 },
 // Where was it initiated
 "sourceIPs":[
   "10.0.6.68"
 ],
 "userAgent":"kubectl/v1.16.3 (linux/amd64) kubernetes/ald64d8",
 // What happened
 "objectRef":{
   "resource":"deployments",
   "namespace":"default",
   "name":"nginx-deployment",
   "apiGroup":"apps",
   "apiVersion":"v1"
 },
 // What's the result
 "responseStatus":{
   "metadata":{
   },
   "code":201
 },
 // Request and response details
 "requestObject":Object{...},
 "responseObject":Object{...},
 // When did it start or end
 "requestReceivedTimestamp":"2020-04-10T10:47:34.315746Z",
 "stageTimestamp":"2020-04-10T10:47:34.328942Z",
 // Reason for accepting or rejecting the request
 "annotations":{
   "authorization.k8s.io/decision":"allow",
   "authorization.k8s.io/reason":""
 }
}

      EKS Cluster Auditing Policy

      Audit level

      Unlike general logs, Kubernetes audit logs have a level that is more like a kind of verbose configuration, which is used to indicate the degree of detail of the recorded information. There are four levels as listed below:

      Parameter Description
      None Nothing is logged.
      Metadata The metadata (for example, user, time, resource, and operation) of the request is logged, excluding the message bodies of the request and response.
      Request The metadata and request message body are logged, excluding the response message body.
      RequestResponse All information is logged, including the metadata and the message bodies of the request and response.

      Audit stage

      Logging can occur at different stages as listed below:

      Parameter Description
      RequestReceived The log is created when the request is received.
      ResponseStarted The log is created after the message header of the response is sent. This parameter only applies to persistent connection requests, such as WATCH.
      ResponseComplete The log is created after the response is completely sent.
      Panic The request is not completed due to an internal server error.

      EKS audit policy

      By default, EKS creates audit logs when receiving requests. For most operations, audit logs at the RequestResponse level are created, except for the following cases:

      • GET, LIST, and WATCH requests are logged at the Request level.
      • Requests for Secrets, ConfigMaps, or TokenReviews are logged at the Metadata level.

      The following requests will not be logged:

      • Requests sent by system:kube-proxy to monitor Endpoints, Services, or Services/Status.
      • GET requests sent by system:unsecured for ConfigMaps in the kube-system namespace.
      • GET requests sent by kubelet for nodes or nodes/status.
      • GET and UPDATE requests sent by system:kube-controller-manager, system:kube-scheduler, or system:serviceaccount:endpoint-controller for Endpoints in the kube-system namespace.
      • GET requests sent by system:apiserver for namespaces, namespaces/status, or namespaces/finalize resources.
      • Requests sent to URLs that match /healthz*, /version, or /swagger*.

      Directions

      Enabling cluster auditing

      Note:

      To enable cluster auditing, you need to restart kube-apiserver. We recommend you not enable and disable it frequently.

      1. Log in to the TKE console.
      2. On the left sidebar, click Cluster Ops > Feature Management.
      3. At the top of the Feature Management page, select the region and the Elastic Cluster type as shown below:
      4. In the cluster list at the bottom, click Set in the Operation column on the right of the target cluster.
      5. In the Configure features pop-up window, click Edit on the right of Cluster Auditing as shown below:
      6. Select Enable Cluster Auditing and select the logset and log topic for storing audit logs. We recommend you select Auto-create Logset as shown below:
      7. Click OK.
      Contact Us

      Contact our sales team or business advisors to help your business.

      Contact Us
      Technical Support

      Open a ticket if you're looking for further assistance. Our Ticket is 7x24 avaliable.

      Submit a Ticket
      7x24 Phone Support
      tencent
      Copyright © 2013-2022 Tencent Cloud. All Rights Reserved.
      Privacy PolicyLegalCookie Policy